CVE-2018-5560 - Vulnerability Details - OpenCVE

A reliance on a static, hard-coded credential in the design of the cloud-based storage system of Practecol's Guardzilla All-In-One Video Security System allows an attacker to view the private data of all users of the Guardzilla device.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00472.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Practecol, LLC

Guardzilla All-In-One Video Security System

affected

Version	Status	Constraints
`2018`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:guardzilla:gz521w_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:guardzilla:gz521w:-:*:*:*:*:*:*:*

No data.

No data.

Project Subscriptions

Vendors	Products
Guardzilla Subscribe	Gz521w Subscribe Gz521w Firmware Subscribe

Advisories

Source	ID	Title
EUVD	EUVD-2018-17329	A reliance on a static, hard-coded credential in the design of the cloud-based storage system of Practecol's Guardzilla All-In-One Video Security System allows an attacker to view the private data of all users of the Guardzilla device.

Fixes

Solution

There is no vendor-provided fix available, see work_around.

Workaround

Users concerned with video privacy should disable the cloud storage functionality provided by the vendor.

References

Link	Providers
https://blog.rapid7.com/2018/12/27/r7-2018-52-guardzilla-iot-video-camera-hard-coded-credential-cve-2018-5560/
https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: rapid7

Published: 2019-01-31T21:00:00Z

Updated: 2024-09-16T21:04:09.840Z

Reserved: 2018-01-12T00:00:00

Link: CVE-2018-5560

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-01-31T21:29:00.270

Modified: 2024-11-21T04:09:03.990

Link: CVE-2018-5560

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-798

{"containers": {"cna": {"affected": [{"product": "Guardzilla All-In-One Video Security System", "vendor": "Practecol, LLC", "versions": [{"status": "affected", "version": "2018"}]}], "credits": [{"lang": "en", "value": "Discovered by Nick McClendon, Andrew Mirghassemi, Charles Dardaman, INIT_6, and Chris."}], "datePublic": "2018-12-27T00:00:00", "descriptions": [{"lang": "en", "value": "A reliance on a static, hard-coded credential in the design of the cloud-based storage system of Practecol's Guardzilla All-In-One Video Security System allows an attacker to view the private data of all users of the Guardzilla device."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "description": "CWE-798", "lang": "en", "type": "CWE"}, {"description": "Use of Hard-coded Credentials", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-01-31T20:57:01", "orgId": "9974b330-7714-4307-a722-5648477acda7", "shortName": "rapid7"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/"}, {"tags": ["x_refsource_MISC"], "url": "https://blog.rapid7.com/2018/12/27/r7-2018-52-guardzilla-iot-video-camera-hard-coded-credential-cve-2018-5560/"}], "solutions": [{"lang": "en", "value": "There is no vendor-provided fix available, see work_around."}], "source": {"advisory": "R7-2018-52", "discovery": "EXTERNAL"}, "title": "Guardzilla All-In-One Video Security System Hard-Coded Credential", "workarounds": [{"lang": "en", "value": "Users concerned with video privacy should disable the cloud storage functionality provided by the vendor."}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@rapid7.com", "DATE_PUBLIC": "2018-12-27T14:05:00.000Z", "ID": "CVE-2018-5560", "STATE": "PUBLIC", "TITLE": "Guardzilla All-In-One Video Security System Hard-Coded Credential"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Guardzilla All-In-One Video Security System", "version": {"version_data": [{"version_name": "2018", "version_value": "2018"}]}}]}, "vendor_name": "Practecol, LLC"}]}}, "credit": [{"lang": "eng", "value": "Discovered by Nick McClendon, Andrew Mirghassemi, Charles Dardaman, INIT_6, and Chris."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A reliance on a static, hard-coded credential in the design of the cloud-based storage system of Practecol's Guardzilla All-In-One Video Security System allows an attacker to view the private data of all users of the Guardzilla device."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 10, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-798"}, {"lang": "eng", "value": "Use of Hard-coded Credentials"}]}]}, "references": {"reference_data": [{"name": "https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/", "refsource": "MISC", "url": "https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/"}, {"name": "https://blog.rapid7.com/2018/12/27/r7-2018-52-guardzilla-iot-video-camera-hard-coded-credential-cve-2018-5560/", "refsource": "MISC", "url": "https://blog.rapid7.com/2018/12/27/r7-2018-52-guardzilla-iot-video-camera-hard-coded-credential-cve-2018-5560/"}]}, "solution": [{"lang": "en", "value": "There is no vendor-provided fix available, see work_around."}], "source": {"advisory": "R7-2018-52", "discovery": "EXTERNAL"}, "work_around": [{"lang": "en", "value": "Users concerned with video privacy should disable the cloud storage functionality provided by the vendor."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T05:40:50.671Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://blog.rapid7.com/2018/12/27/r7-2018-52-guardzilla-iot-video-camera-hard-coded-credential-cve-2018-5560/"}]}]}, "cveMetadata": {"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7", "assignerShortName": "rapid7", "cveId": "CVE-2018-5560", "datePublished": "2019-01-31T21:00:00Z", "dateReserved": "2018-01-12T00:00:00", "dateUpdated": "2024-09-16T21:04:09.840Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:guardzilla:gz521w_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "9D9B0D0E-985D-4D0C-9889-6184E6BF391D", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:guardzilla:gz521w:-:*:*:*:*:*:*:*", "matchCriteriaId": "2763BE91-5523-44AB-9FB2-A59F2C3AE186", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A reliance on a static, hard-coded credential in the design of the cloud-based storage system of Practecol's Guardzilla All-In-One Video Security System allows an attacker to view the private data of all users of the Guardzilla device."}, {"lang": "es", "value": "La dependencia de una credencial est\u00e1tica embebida en el dise\u00f1o del sistema de almacenamiento basado en la nube en Guardzilla All-In-One Video Security System, de Practecol, permite que un atacante vea los datos privados de todos los usuarios del dispositivo Guardzilla."}], "id": "CVE-2018-5560", "lastModified": "2024-11-21T04:09:03.990", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.8, "source": "cve@rapid7.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-01-31T21:29:00.270", "references": [{"source": "cve@rapid7.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://blog.rapid7.com/2018/12/27/r7-2018-52-guardzilla-iot-video-camera-hard-coded-credential-cve-2018-5560/"}, {"source": "cve@rapid7.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://blog.rapid7.com/2018/12/27/r7-2018-52-guardzilla-iot-video-camera-hard-coded-credential-cve-2018-5560/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/"}], "sourceIdentifier": "cve@rapid7.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "cve@rapid7.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}]}